CISA Red Team Finds Alarming Critical Infrastructure Risks
Red Team Finds Vulnerabilities in Critical Infrastructure Org's Security Framework

The U.S. cyber defense agency is urging critical infrastructure operators to learn from the experience of a volunteer red teaming test and not rely too heavily on host-based endpoint detection and response solutions at the expense of network layer protections.
An unnamed critical infrastructure organization that sought a red teaming assessment from the Cybersecurity and Infrastructure Security Agency lacked an adequate security framework to detect or prevent malicious activity from the outset, the agency said Thursday.
Top officials at the critical infrastructure organization "deprioritized the treatment of a vulnerability their own cybersecurity team identified" while committing significant miscalculations in their risk-based decision-making process, CISA said. The red team compromised the organization's domain and several sensitive business systems after gaining initial access through a web shell left by a third party's previous security assessment.
CISA declined to comment on this story and did not disclose which critical infrastructure sector the organization belongs to. The agency's red team initially carried out unsuccessful phishing attempts before discovering the web shell left from a previous vulnerability disclosure program.
The report advises critical infrastructure owners and operators to embed security into product architecture throughout the entire software development life cycle, to eliminate default passwords and to mandate multifactor authentication. CISA said the organization's staff could benefit from continuous enhancements to their technical competency, as well as "sufficient resources" to ensure they can adequately protect their networks.
Critical infrastructure operators should also validate their security controls, test their full inventories and design products so that a single security control flaw "does not result in compromise of the entire system."
The organization that received the assessment lacked proper identity management, CISA said, adding that its network defenders failed to implement a centralized identity management system in their Linux network and were forced to manually query every Linux host for artifacts to track the red team's lateral movement. A properly configured network may also have been able to block the red team from breaching the organization's perimeter, the report said.
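The report's point about defenders having to query every Linux host by hand follows from missing central collection: once SSH authentication events from all hosts land in one place, a lateral-movement chain can be reconstructed in a single pass by linking each login's source address to the host it came from. The script below is an added illustration, not CISA's tooling or anything from the assessed organization; the hostnames, addresses, usernames and `sshd` lines are constructed, and the line format assumes a collector that prefixes each forwarded message with the reporting host and its IP.

```python
import re
from collections import defaultdict

# Constructed sample of sshd "Accepted" events as received by a central log
# collector. Each line is "<host> <host_ip> <original sshd message>".
# Hosts, addresses and users are made up; 203.0.113.7 plays the external entry point.
SAMPLE_LOGS = """\
web01 10.0.1.11 sshd[2201]: Accepted password for svc_deploy from 203.0.113.7 port 51022 ssh2
app02 10.0.1.22 sshd[3310]: Accepted publickey for svc_deploy from 10.0.1.11 port 41234 ssh2
db03 10.0.1.33 sshd[4412]: Accepted publickey for svc_deploy from 10.0.1.22 port 42345 ssh2
app02 10.0.1.22 sshd[3315]: Failed password for admin from 198.51.100.9 port 55555 ssh2
fs04 10.0.1.44 sshd[5500]: Accepted publickey for backup from 10.0.1.11 port 43456 ssh2
"""

# Only successful logins matter for a hop graph; failed attempts are ignored here.
LOGIN_RE = re.compile(
    r"^(?P<host>\S+) (?P<host_ip>\d+\.\d+\.\d+\.\d+) sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src_ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_logins(text):
    """Parse collector lines into dicts with host, host_ip, method, user, src_ip."""
    logins = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line.strip())
        if m:
            logins.append(m.groupdict())
    return logins


def lateral_chains(logins):
    """Reconstruct login chains that start outside the monitored host set.

    A chain is a list of (host, user, src_ip) hops. A login on host B whose
    source address is host A's address is treated as a hop A -> B. Hosts are
    never revisited within one chain, so cycles cannot loop forever.
    """
    host_ips = {entry["host_ip"]: entry["host"] for entry in logins}
    by_src = defaultdict(list)
    for entry in logins:
        by_src[entry["src_ip"]].append(entry)

    chains = []

    def walk(entry, path, seen):
        path = path + [(entry["host"], entry["user"], entry["src_ip"])]
        seen = seen | {entry["host"]}
        next_hops = [n for n in by_src.get(entry["host_ip"], []) if n["host"] not in seen]
        if not next_hops:
            chains.append(path)
        for hop in next_hops:
            walk(hop, path, seen)

    # Roots are logins whose source is not one of our own hosts (i.e. external entry).
    for entry in logins:
        if entry["src_ip"] not in host_ips:
            walk(entry, [], frozenset())
    return chains


def format_chain(chain):
    """Render a chain as 'entry_ip -> host (user) -> host (user) ...'."""
    parts = [chain[0][2]] + [f"{host} ({user})" for host, user, _ in chain]
    return " -> ".join(parts)


if __name__ == "__main__":
    for chain in lateral_chains(parse_logins(SAMPLE_LOGS)):
        print(format_chain(chain))
```

With the constructed input this yields two chains rooted at the external address, one reaching the database host through the application host and one reaching the file server directly. The same question asked without central collection means logging into each host and grepping its own `auth.log`, which is the manual work the report describes.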